digg

Facebook Connect Join Digg About

IE8, Safari, and Firefox All Fall in Hacking Test

pcmag.com by Larry Seltzer Day One of the CanSecWest Pwn2Own hacking contest finished Wednesday, with fully-patched copies of IE8, Safari, and Firefox all falling to hacker "Nils".

Who dugg this? Made popular Mar 20, 2009

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

209 Comments

show profanity settings
expand all
  • AndrewWiggin, on 03/20/2009, -2/+113Not sure why they don't mention that Chrome was part of the "games" too but was never cracked. That seems like it's interesting information to me.

    I'm not saying it's more secure (it could just be that it has less market share and so people don't care about spending the time looking for exploits in it, or because it's just newer than everything else), but I like Chrome so I like that result.
  • gcnaddict, on 03/20/2009, -3/+90You know what's funny?

    The exploit used to knock Safari was known by the same guy who won last year. He saved it because it's one exploit per win, and it turned out that the exploit had not been patched by this year.

    *sigh*
  • diggymow, on 03/20/2009, -2/+72Read this from the guy who hacked the Mac in seconds:http://blogs.zdnet.com/security/?p=2941

    "Google Chrome was the one target left standing. Surprised?
    There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. The’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox."
    It seems like it might actually be more secure. At least for the moment anyway. Also like Chrome, also like the result :)
  • Zodiachus, on 03/20/2009, -2/+72"For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you."
    So, Firefox it is when using Windows. But what the heck do I use on Mac?

    "There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. The’ve got that sandbox model that’s hard to get out of."
    Now I can't wait for a Mac version of Chrome.
  • Khast, on 03/20/2009, -3/+70Where there is a will, there WILL be a way. And if they patch the holes, it will only be a matter of time before other holes are found. Wash, rinse, repeat.

    Doesn't matter how secure you think you are, if someone really wanted to get in, they can, and will. (And if they haven't tried, don't think of yourself as being 'secure'...think of yourself as 'too unimportant for them to give a crap about'. )
  • Jeremyz0r, on 03/20/2009, -14/+75Charlie did the Macbook in within seconds.
    http://blogs.zdnet.com/security/?p=2917
  • diggymow, on 03/20/2009, -6/+62FTA: "Why Safari? Why didn’t you go after IE or Safari?
    It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.
    It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it."

    Really though people need to realize nothing is secure really. Also 'mactards' probably wasn't necessary.
  • doshindude, on 03/20/2009, -22/+72MACS CANT GET VIRUSES ITS A LIE
    /idiot mac user
  • azureskies88, on 03/20/2009, -30/+76http://blogs.zdnet.com/security/?p=2941

    Hopefully Mactards will now shut the ***** up about how OS X is inherently more secure than Windows. Of course, they still won't, since they are immune to reason.
  • azureskies88, on 03/20/2009, -6/+51No, it will be presented to every idiot who thinks that Macs are inherently more secure than Windows machines.
  • hardeep1singh, on 03/20/2009, -11/+55OS X is the most secure OS ever.

    (for the initial couple of seconds, after that it falls like a castle of cards.)

    I wonder what mac lovers have to say about this.
  • diggymow, on 03/20/2009, -5/+48Someone is digging down all the comments about being OS X being insecure. For some reason I'm trying to stop it. I think I need to go to bed.
  • diggymow, on 03/20/2009, -2/+44I'm confused by your comment.
    FTA: “It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said moments after his accomplishment."
    I assume the link is the kind of thing that anyone could click on. Not something he would need physical access for. It did fall within seconds and before any of the other machine. That doesn't exactly scream more secure than any other platform to me.
  • Snoosy, on 03/20/2009, -1/+37If you try to hack a lynx, it'll probably maul your face off.
  • blackinthmiddle, on 03/20/2009, -2/+37Well it took them seconds to apply their exploits. No doubt, they didn't just go there and say, "Hmmm...let me try this." They perfected their attacks at home, then came to the contest ready to go.
  • Archimedes0212, on 03/20/2009, -1/+33Fall works in the sentence.

    http://dictionary.reference.com/browse/fall
    definition 10: to succumb to attack: The city fell to the enemy.
  • dtd00d, on 03/20/2009, -0/+30Whats funnier is that Safari was the only browser to be compromised _twice_ on Day 1.

    http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn ...
  • XenonBG, on 03/20/2009, -4/+33dugg for honestly admitted subjectivity :)
  • godsdead, on 03/20/2009, -0/+23Thats great =] i cant belive they havent fixed the hole, in a YEAR.
  • diggymow, on 03/20/2009, -2/+25It seems like the same could be said for your comment....
  • theaceoffire, on 03/20/2009, -1/+22Well, the Irish Virus for one:
    http://www.jacobsen.no/anders/blog/archives/images ...

    Symantic's page about it:
    http://www.symantec.com/security_response/writeup. ...
  • SkippyDoorknob, on 03/20/2009, -0/+18Browsers, browsers, they all fall down!
  • battleroyalex, on 03/20/2009, -0/+18"Total Douche" rofl.. not so bright. I'm actually surprised you spelled douche right.
  • jemka, on 03/20/2009, -4/+22Yeah, but seconds? Come on. I would like to think these organizations can put together something that takes a little longer to be hacked.
  • diggymow, on 03/20/2009, -0/+17Firefox fell, only Chrome hasn't so far. This is a better article about it all: http://blogs.zdnet.com/security/?p=2941
  • DeathRay2K, on 03/20/2009, -3/+20Opera wasn't even included. Really it's Chrome FTW, as it was the only browser that wasn't hacked.
  • jakem1, on 03/20/2009, -3/+20That's right and it's a shame that all the reports I've seen have made it look as if IE8 fell first. Take a look at the title of this post and you'd be forgiven for thinking that Safari lasted longer.
  • bigteebo, on 03/20/2009, -2/+18Did lynx ever have any security issues? Just wondering.
  • yfph, on 03/20/2009, -1/+16Steve must be proud with your slavish devotion to his cause.
  • inactive, on 03/20/2009, -3/+18Bottom line: The fact that Safari got pwned crumpled your panties.
  • RandomNetUser, on 03/20/2009, -1/+16@ Seeds
    It sounds like he's just trying to make a buck on something he's good at. Would you go to Apple HQ and lay down mulch, plant trees, shrubs and flowers outside for free? Of course not. It's something they pay landscapers good money to do. Why should he just hand over something he's put a lot of hard work into to a company that is known to pay good money for that kind of work.
  • hardeep1singh, on 03/20/2009, -14/+29'But what the heck do I use on Mac?'

    Don't use Mac. Simple
  • Hexxagonal, on 03/20/2009, -0/+14They didn't test Opera. Opera is still at 0 threats on Secunia though http://secunia.com/advisories/product/10615/
  • ezekahr, on 03/20/2009, -1/+15Oh how naive you truly are...
  • alerad, on 03/20/2009, -2/+16This is digg after all... but at least the horde of mac fanboys is starting to get diluted.
  • yfph, on 03/20/2009, -1/+14Not according to the man who brought Safari to its knees in a few seconds after it surfed to his clickable exploit. According to him, he choose the least secure browser AND OS to run his exploit. Please remove the wool from your eyes.

    http://blogs.zdnet.com/security/?p=2941
  • ThantiK, on 03/20/2009, -0/+13By the way...the lack of details is because hackers/crackers at the contest sign a non-disclosure agreement, info of the exploit is passed to vendors to be fixed, until a certain time period, then released. These are 0-day exploits, you don't want them out in the wild...some idiot myspace teenager is bound to click it.
  • hardeep1singh, on 03/20/2009, -4/+17I expected this kind of a response, since you ran out of valid arguments.
  • Snoosy, on 03/20/2009, -5/+18Hackers don't cause insecure apps. Insecure apps cause hackers.
  • elementop, on 03/20/2009, -0/+12If you rely upon security through obscurity, you will get hacked. It's just a matter of time. However, it can be a valid *layer* in the defense of your system.

    Case in point: for many years, I ran SSH on my home computer on a non-standard port. I very, very rarely saw any unauthorized connection attempts because most script kiddies only try SSH on port 22. After I changed SSH to run on port 22, I suddenly saw a *lot* of attempts to brute force user names and passwords on my computer.

    Conclusion: I have *reduced* the risk to my network by running SSH on a non-standard port, because most script kiddies are reaching for the low-hanging fruit and won't take the time to nmap all 65536 ports to find which one is running SSH -- they'll just hit port 22 and go somewhere else when they see it isn't open. This is *NOT SUFFICIENT* security because if you want to target me specifically, you'll nmap -sV -p 1-65535 -PN (for example) and find that I'm running SSH on a non-standard port. Therefore, I also keep SSH and openSSL patched, I firewall the port that SSH listens on so that you can only connect from IP addresses I might actually come from, etc. However, since it is theoretically possible that a script kiddie on an allowed IP address could get lucky when trying to guess my user name and password, I have, in fact, improved security by running SSH on a non-standard port, since I have reduced the number of exploit attempts.
  • inactive, on 03/20/2009, -0/+12Hacking.
  • Nimda11, on 03/20/2009, -1/+13@ clak..... shhhhhhhhhhhhhh, your letting everyone see your ignorance.
  • MCA2142, on 03/20/2009, -3/+15CB Radio = Hack Proof internet for those in Wyoming.
  • speedk0re, on 03/20/2009, -3/+15Once again proving my theory that Netscape Navigator 2.02 is hacker proof. It also renders animated gifs beautifully and plays midis in unparalleled smoothness.
    http://en.wikipedia.org/wiki/File:Netscape2.02_Scr ...
  • csuftech, on 03/20/2009, -2/+13I think it's pretty important to mention that Chrome is the only browser that wasn't hacked. The guy that broke Safari said that the reason is that even if there is a bug in Chrome, it's a real pain in the ass to try and exploit it because of their sandbox. I think this might be something Google will be touting in the near future.
  • Jhiaxuz, on 03/20/2009, -1/+12He kept yelling and called them IE6. This broke the browsers' spirit.
  • chadsmith729, on 03/20/2009, -0/+11Buried, and reported. Thanks for playing!
  • HelAom, on 03/20/2009, -2/+13Thanks diggy

    I'm impressed at the difficulty in hacking Chrome. Interesting posts, I like how he brings Mac down a few notches
  • FyberOptic, on 03/20/2009, -5/+16Unfortunately fanboys still downplay this kind of stuff. Apple fans say it "doesn't count, the guy had time to prepare", Firefox fans say "doesn't matter, Mozilla would have it patched in a matter of days", blah blah.

    Fact remains, Apple security is horrendous, and Mozilla's security is "not good". Anyone who would argue against these simple facts (and yes, they are facts, when you're not a zealot) obviously hasn't read any security news or been to any security websites in the last several years.

    If people would stop comparing e-penises and be more ready to admit that their products of choice are flawed, then there might be more pressure on the developers to make sure these problems don't happen to start with. I mean it took us this long to finally see developers focus on Javascript speed, which is something I never thought I'd see happen. It took embarrassing public benchmarks for that to happen. So if people started calling out these companies on their poor security records more often, then they might take it up a notch.

    No browser will ever be completely secure, but some of this stuff is completely avoidable. Especially in Apple's case.
  • dazparkour, on 03/20/2009, -1/+12I already have -

    You will need:
    1 PC, no hard drive.
    1 USB key, add linux operating system then make key read only.
    1 Printer.

    Have someone else load the pages, print the pages, then bring you the pieces of paper.

    This method is quite secure without the printing.
  • Fetching more discussions...
    Show 51 - 100 of 216 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.